Data Protection Act 1998 - Principles
When it comes to the information we hold about you, your rights are set out clearly in the law. The Data Protection Act 1998 provides also that people who record and use personal data must be open about how it is used and that they must comply with the eight Data Protection Principles.
In some instances, the law exempts us from these principles. This is normally where obeying the principles would damage the fight against crime, or be against the national interest in some way.
The next part of this document explains what the Data Protection Principles are and how we obey them. Remember, it is simply an explanation and does not attempt to replace the Act itself.
In broad terms, the Data Protection Principles state that when we are dealing with people's personal information, we must:
First Principle - Process it fair and lawful
Processing includes "obtaining, recording or holding information". We must only obtain it fairly and lawfully. We have to tell you why the information is needed and how we may use it. We have explained this in previous sections of this document. We only process the information in ways that the law allows.
There are "conditions for processing" personal data. These conditions are set out in Schedule 2 of the Data Protection Act. The "conditions for processing" sensitive personal data is set out in Schedule 3 of the Act. Information is considered to be sensitive if it deals with racial or ethnic origin; political opinions; religion; trade union membership; physical or mental health; sexual life; and offences or convictions and court proceedings.
When processing personal data we must comply with at least one of the following conditions, unless a relevant exemption applies:
- The individual who the personal data is about has consented to the processing.
- The processing is necessary:
- in relation to a contract which the individual has entered into; or
- because the individual has asked for something to be done so they can enter into a contract.
- The processing is necessary because of a legal obligation that applies to you (except an obligation imposed by a contract).
- The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions.
- The processing is in accordance with the "legitimate interests" condition.
When processing sensitive personal information, we must comply with the at least one of the above conditions and, at least one of several other conditions. These other conditions are as follows:
- The individual who the sensitive personal data is about has given explicit consent to the processing.
- The processing is necessary so that you can comply with employment law.
- The processing is necessary to protect the vital interests of:
- the individual (in a case where the individual's consent cannot be given or reasonably obtained), or
- another person (in a case where the individual's consent has been unreasonably withheld).
- The processing is carried out by a not-for-profit organisation and does not involve disclosing personal data to a third party, unless the individual consents. Extra limitations apply to this condition.
- The individual has deliberately made the information public.
- The processing is necessary in relation to legal proceedings; for obtaining legal advice; or otherwise for establishing, exercising or defending legal rights.
- The processing is necessary for administering justice, or for exercising statutory or governmental functions.
- The processing is necessary for medical purposes, and is undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality.
- The processing is necessary for monitoring equality of opportunity, and is carried out with appropriate safeguards for the rights of individuals.
Second Principle - Process it for specific purposes and not in any manner incompatible with those purposes
This means that your personal information will be processed only in ways that the law allows and only for purposes connected with your application, recruitment or employment.
Third Principle - Only process information that is adequate, relevant and not excessive
This means that we will only process the information that we need to do our job.
Fourth Principle - Ensure that the information is accurate and kept up to date.
This means that we will do all that we reasonably can to ensure that we hold only accurate information. We will review it regularly. We will take all reasonable steps to ensure that the information we hold on you is accurate and up to date. Where this is proved not to be the case, we will either delete it or update it.
Fifth Principle - Ensure that the information is not kept longer than is necessary.
As explained at Section 4, "Do we have any other uses for the information you have provided", information that you provide at the time of the recruitment campaign will be held on your personal record if you become an employee of the Civil Service. All recruitment related papers will be retained for 12 months from the end of the competition. The term ‘papers' refers to the advertisement, application forms, sift criteria, selective panel report, campaign summary, statistics and any other relevant papers relating to the competition. After the 12 month period, data will be archived but will be kept for a further 24 months.
Sixth Principle - Ensure that the information is treated in accordance with your rights.
"Personal data shall be processed in accordance with the rights of data subjects under this Act."
This is the sixth data protection principle, and the rights of individuals that it refers to are:
- A right of access to a copy of the information comprised in their personal data;
- A right to object to processing that is likely to cause or is causing damage or distress;
- A right to prevent processing for direct marketing;
- A right to object to decisions being taken by automated means;
- A right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
- A right to claim compensation for damages caused by a breach of the Act.
Seventh Principle - Take care of your personal information.
This means that we will do everything necessary to take very good care of any personal information that we hold on you. This includes:
- Ensuring the integrity of the staff that have access to your personal information
- Treating your personal information as confidential and in accordance with our formal procedures for the handling and storage of personal information
Eighth Principle - Ensure that your personal information is not transferred outside the European Economic Area unless there are suitable safeguards in the countries to which it is to be sent.
This Principle is unlikely to affect your application but, for example, if you were to be employed by the Civil Service and decided to take up a posting overseas, some of your personal information may need to be released to the country where you have chosen to work.
You can find out more about the Data Protection Act 1998 at: http://www.ico.org.uk/ or by writing to:
Information Commissioner's Office